package com.clstu.statement;

import java.io.FileInputStream;
import java.io.FileNotFoundException;
import java.io.IOException;
import java.sql.*;
import java.util.Properties;
import java.util.Scanner;

/**
 * Statement
 * 老版本的东西,执行sql语句的对象
 * 演示Statement接口存在的注入问题(而且性能和效率也不高)
 */
public class Statement_ {
    public static void main(String[] args) throws IOException, ClassNotFoundException, SQLException {
        Properties properties = new Properties();
        properties.load(new FileInputStream("src\\mysql.properties"));
        String user = properties.getProperty("user");
        String password = properties.getProperty("password");
        String url = properties.getProperty("url");
        String driver = properties.getProperty("driver");

        Class.forName(driver);
        Connection connection = DriverManager.getConnection(url, user, password);
        Statement statement = connection.createStatement();//得到statement对象
        Scanner scanner = new Scanner(System.in);

        System.out.print("请输入用户名:");
        String name = scanner.nextLine();//注意这里不能用next(),next()读到空格或者'会自动结束,后面读不到了,nextLine读到换行才结束
        System.out.print("请输入密码:");//  当输入万能用户名: 1' or
        String pwd = scanner.nextLine();//      万能密码: or '1'='1 的时候,都能成功登陆 .,这就是sql注入!!!!!(甚至可能破坏你的数据)
        String sql = "select * from us where name = '"+name+"' and pwd = '"+pwd+"'";//生成sql语句
        System.out.println(sql);
        ResultSet resultSet = statement.executeQuery(sql);

        if(resultSet.next()){//如果有结果,就登陆成功
            System.out.println("登录成功");
        }else {
            System.out.println("登录失败");
        }
        //关闭资源
        resultSet.close();
        statement.close();
        connection.close();
    }
}
